GSoC 2017 Project Summary: major SNARE/Tanner improvements

Student Ravinder Nehra contributed this post as a project summary of his GSoC 2017 experience.

MySQL Emulator

Previously, Tanner emulated SQL injection with SQLite, but since MySQL is far more widely used, MySQL emulation was badly needed in my opinion. With MySQL, time-based blind SQLi can also be emulated, which cannot be done in the SQLite-based emulator (SQLite has no SLEEP()-style delay function). It is implemented using the aiosql library, following the same approach as the earlier SQLite emulation.

Command Execution Emulator

This emulator emulates a command execution/injection vulnerability. It is implemented with Docker, chosen for its isolation features. I used BusyBox as the default Docker image: it provides a usable Linux shell and file system and, most importantly, is very small. An attack is identified with the regex .*(alias|cat|cd|cp|echo|exec|find|for|grep|ifconfig|ls|man|mkdir|netstat|ping|ps|pwd|uname|wget|touch|while).* and the matched input is then executed inside the BusyBox container to obtain the command injection results.
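As an added example (illustrative code written for this summary, not Tanner's own), the detection regex from the paragraph above run over a few constructed parameter values. Because the pattern is an unanchored alternation of bare command names, it also fires on ordinary words that contain a command name as a substring ("concatenate" contains cat, "https" contains ps, "false" contains ls). The block therefore also shows a tightened variant of my own, which requires the command name to start the value or follow a shell separator and to end at a word boundary; that variant is a suggestion, not something Tanner does.

```python
import re

# Command names exactly as listed in the post.
COMMANDS = (
    "alias|cat|cd|cp|echo|exec|find|for|grep|ifconfig|ls|man|mkdir|"
    "netstat|ping|ps|pwd|uname|wget|touch|while"
)

# The pattern as published: an unanchored alternation, so a command name
# matches anywhere inside the value, including inside other words.
CMD_EXEC_PATTERN = re.compile(r".*(" + COMMANDS + r").*")

# Tightened variant (my suggestion, not Tanner's): the command name must
# start the value or follow a shell separator, and end at a word boundary.
CMD_EXEC_STRICT = re.compile(r"(?:^|[;&|`$(\s])(" + COMMANDS + r")\b")


def scan(value, pattern=CMD_EXEC_PATTERN):
    """Return the command name that triggered detection, or None.

    Mirrors the role of an emulator's scan() hook: a truthy result means
    the base emulator should hand this parameter to the emulator."""
    match = pattern.search(value)
    return match.group(1) if match else None


# Constructed parameter values: two real injection attempts followed by
# three harmless values that merely contain a command name as a substring.
SAMPLE_VALUES = [
    "127.0.0.1; cat /etc/passwd",
    "`uname -a`",
    "concatenate",
    "false",
    "https://example.com",
]


def compare(values=SAMPLE_VALUES):
    """Map each value to (published-regex result, strict-regex result)."""
    return {v: (scan(v), scan(v, CMD_EXEC_STRICT)) for v in values}


if __name__ == "__main__":
    for value, (loose, strict) in compare().items():
        print("%-30r published=%-6s strict=%s" % (value, loose, strict))
```

The published pattern flags all five values; the strict variant flags only the two that actually carry a shell command. For a honeypot a few false positives are cheap, but every false positive here also costs a container run, which is worth keeping in mind when tuning the list.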

Base Emulator Architecture

The previous base emulator didn't specify a standard way of adding a new emulator, and each addition made it messier. So I designed a new architecture. It follows a find-and-emulate approach in which every emulator exposes a scan method.

The base emulator calls the scan method of each emulator against every GET parameter, POST parameter and cookie value.

It then calls the handle method of each emulator whose scan returned a positive result.

The handle method returns the payload and a boolean value that tells whether the payload has to be injected into the same page or into a new page.

Depending on that boolean value, the payload is injected either into the most recently visited page or into a new one.

Padding Oracle Emulator

I was thinking of implementing a padding oracle emulator through cookies, but Tanner didn't support attacks through cookies, so I first implemented that feature. I was then a little confused about which cookie I should set that could be attacked; this is a difficult task because we don't have an authentication mechanism that uses cookies. Currently, it has been left on hold.

PHP Code Injection Emulator

It emulates a PHP code injection vulnerability. This type of vulnerability is usually found where user input is passed directly to functions such as eval or assert. To mimic that behaviour, the user input is wrapped in the following code, <?php eval('$a = user_input'); ?>, which is then passed to phpox to obtain the PHP code emulation results.

Snare-Tanner Communication

It provides a defined format for how Tanner's response is structured so that SNARE can parse it easily. This is the new response structure. It also adds the ability to return a payload in headers.

CRLF Emulator

It emulates a CRLF injection vulnerability. The attack is detected by looking for a \r\n sequence in the input. The suspicious parameter is then injected as a response header, with the parameter name as the header name and the parameter value as the header value.
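The find-and-emulate loop described under Base Emulator Architecture, with the CRLF emulator from this section and the PHP code injection wrapper as two minimal emulators, as an added example in Python. This is illustrative code written for this summary, not Tanner's own: the request layout, the first-match-wins dispatch, the PHP detection heuristic and the payload dictionaries are assumptions; only the scan/handle split, the (payload, boolean) return value, the \r\n check and the eval() wrapper come from the post.

```python
import re
from collections import namedtuple

# What handle() returns: the payload to inject and whether it belongs on a
# new page (True) or on the most recently visited page (False).
Emulation = namedtuple("Emulation", "payload new_page")


class CRLFEmulator:
    """Header injection, detected by a CR/LF sequence inside a parameter.

    handle() turns the parameter into a response header: parameter name as
    header name, parameter value as header value, as the post describes."""
    name = "crlf"
    _pattern = re.compile(r"\r\n")

    def scan(self, value):
        return bool(self._pattern.search(value))

    def handle(self, param, value):
        return Emulation(payload={"headers": {param: value}}, new_page=False)


class PHPCodeInjectionEmulator:
    """Wraps the input in the eval() stub from the post.

    The detection heuristic (a PHP-style function call) is an assumption
    for this example, not Tanner's logic."""
    name = "php_code_injection"
    _pattern = re.compile(r"\b[a-zA-Z_]\w*\s*\(.*\)")

    def scan(self, value):
        return bool(self._pattern.search(value))

    def handle(self, param, value):
        code = "<?php eval('$a = %s'); ?>" % value
        # Tanner would hand this code to phpox; here we just return it.
        return Emulation(payload={"php_code": code}, new_page=True)


class BaseEmulator:
    """Dispatcher: scan every GET, POST and cookie value, then hand each
    positive hit to the emulator that found it (first match wins here,
    which is an assumption of this example)."""

    def __init__(self, emulators):
        self.emulators = emulators

    def emulate(self, request):
        results = []
        for source in ("get", "post", "cookies"):
            for param, value in request.get(source, {}).items():
                for emu in self.emulators:
                    if emu.scan(value):
                        results.append((emu.name, source, param,
                                        emu.handle(param, value)))
                        break
        return results


# Constructed request: one CRLF attempt in a GET parameter, one PHP code
# injection attempt in a POST field, and two harmless values.
SAMPLE_REQUEST = {
    "get": {"redirect": "/home\r\nSet-Cookie: admin=1", "q": "honeypot"},
    "post": {"data": "1; phpinfo()"},
    "cookies": {"sess": "abc123"},
}


def run_demo(request=SAMPLE_REQUEST):
    base = BaseEmulator([CRLFEmulator(), PHPCodeInjectionEmulator()])
    return base.emulate(request)


if __name__ == "__main__":
    for name, source, param, res in run_demo():
        where = "new page" if res.new_page else "last visited page"
        print("%s hit on %s[%s] -> %r (%s)" % (name, source, param,
                                              res.payload, where))
```

Adding a new emulator means writing one class with scan and handle and appending it to the list; the dispatcher never changes, which is the point of the redesign.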